Jumping in late here but let me agree the time service is crap. Here is how I 
overcame it.

I use our core Cisco router for the authoritative time source. It does a good 
job of keeping its clock current. I do not sync it outside; I do it manually if 
I ever notice a time difference. Since starting to use it I have only had to do 
this once or twice in the last few years and that was due to power outages. You 
do have to config it to be a time server but it is easy. The PDC emulator 
points to it for its time source. GPO tells everyone else to use the standard 
Windows hierarchy.

Here is the key for us: I set a scheduled task for every server, DCs and 
member servers alike, to stop and start the time service twice a day. Once at 6 
am and once at 6 pm. That keeps them right on the money.

Since doing that I have not had any issues for several years.


From: Andrew S. Baker [mailto:[email protected]]
Sent: Friday, September 18, 2009 11:45 AM
To: NT System Admin Issues
Subject: Re: Why is Windows Time service crap?

To follow up on what Ben and Bob have mentioned, you only want/need the DC with 
the PDCe role to get its time externally, and the other systems will get the 
time from that one.

What I do then, is to run a script that sets the time server for all other 
systems to be blank.  (Actually, I let 2 DCs sync outside)

The time for all my systems remains in sync (my logging script checks this 
every morning).

I have not used an external NTP application for the better part of this decade.

-ASB: http://XeeSM.com/AndrewBaker

On Fri, Sep 18, 2009 at 11:37 AM, Free, Bob <[email protected]> wrote:

[1] You configure the PDCe of the forest root to become the authoritative time 
source for your forest. There is a (fairly) strict hierarchy that is 
automagically maintained with the other DCs peering up to that one, DCs in 
child domains peering to their respective PDCe,  member servers and 
workstations peering up to their respective DCs. "You" don't need to "point" 
anything to anything other than the root PDCe. I'd respectfully submit that 
there is something wrong in your configuration if things are that bad.



Configure the Windows Time service on the PDC emulator 
(http://go.microsoft.com/fwlink/?LinkId=91969)



[2] Common issues I've seen are misconfiguration, firewall/network issues and 
users who have the user right to set system time.



Configure a client computer for automatic domain time synchronization 
(http://go.microsoft.com/fwlink/?LinkId=91376)



I would have agreed with your sentiment in NT and actually ran the W32 port of 
NTP on my DCs back then, but for the vast majority of the >20K machines in my 
main forest w32time is sufficient. It has improved with every version of 
Windows and the documentation is an order of magnitude better than it used to 
be. The biggest offset among my DCs today is +0.0128225s. We do have special 
use cases where we employ other methods but they are definitely the exception 
rather than the rule where a particular client needs millisecond accuracy.



Windows Time Service Technical Reference 
http://technet.microsoft.com/en-us/library/cc773061(WS.10).aspx



I would start at the top and get all the DCs properly synched and work your 
way down from there. What version of AD are you running?





From: [email protected]
Sent: Friday, September 18, 2009 7:37 AM

To: NT System Admin Issues
Subject: Why is Windows Time service crap?



Greetings!

I have workstations and servers in my domain whose time is all over the place!

Two servers I manually sync'd with a domain controller less than 24 hours ago 
are now once again 3 minutes behind.

Workstations are up to 5 minutes one way or the other.

I know this keeps coming up here, but again, please...
1. With multiple domain controllers, does one pick one of them, sync to an 
outside time source, then somehow point the other DCs to this DC?  If so, then 
one puts in the name of the selected DC in the registry settings for time 
services?  OR, does one make sure all the DCs point to the same external NTP 
server?

2. Why do servers and workstations drift off, time-wise?  How to stop this?
--
Richard D. McClary
Systems Administrator, Information Technology Group

ASPCA(r)
1717 S. Philo Rd, Ste 36
Urbana, IL  61802

[email protected]

P: 217-337-9761
C: 217-417-1182
F: 217-337-9761
www.aspca.org
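
Added example, not part of any message in this thread: one way to run the kind of daily offset check mentioned above, measuring each DC's clock against the reference DC with the built-in `w32tm /stripchart` and flagging any that exceed a threshold. The host names and the 1-second threshold are assumptions for illustration, and the script assumes every listed host answers NTP, as domain controllers do.

```powershell
# Added example: compare each DC's clock with a reference DC from one admin host.
# Assumptions: the host names are placeholders and the threshold is arbitrary.
param(
    [string]   $Reference         = 'dc1.example.test',
    [string[]] $DomainControllers = @('dc2.example.test', 'dc3.example.test'),
    [double]   $MaxOffsetSeconds  = 1.0
)

function Get-OffsetFromLocal {
    param([string] $Target)
    # With /dataonly each sample is printed as "hh:mm:ss, +00.0128225s":
    # the target's clock minus the local clock, in seconds.
    $lines = & w32tm /stripchart "/computer:$Target" /samples:1 /dataonly 2>&1
    foreach ($line in $lines) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') {
            return [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    }
    return $null   # no sample line: host unreachable or not answering NTP
}

$refOffset = Get-OffsetFromLocal $Reference
if ($null -eq $refOffset) { throw "No NTP response from reference $Reference" }

$report = foreach ($dc in $DomainControllers) {
    $offset = Get-OffsetFromLocal $dc
    if ($null -eq $offset) {
        [pscustomobject]@{ Computer = $dc; OffsetSeconds = $null; Status = 'NO RESPONSE' }
        continue
    }
    # Subtracting the reference's offset cancels out the local clock's own error.
    $relative = [math]::Round($offset - $refOffset, 7)
    $status   = if ([math]::Abs($relative) -gt $MaxOffsetSeconds) { 'DRIFT' } else { 'OK' }
    [pscustomobject]@{ Computer = $dc; OffsetSeconds = $relative; Status = $status }
}

$report | Format-Table -AutoSize
# A non-zero exit code lets a scheduled task or monitoring job raise an alert.
if ($report | Where-Object Status -ne 'OK') { exit 1 }
```

A blocked UDP port 123 shows up here as `NO RESPONSE` rather than as drift, which separates the firewall/network cause from a real clock offset.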
